New White House petition seeks to legitimize DDoS attacks

Supporters argue that shutting down a website is a type of civil disobedience.

This week, a petition was filed on the White House's "We the People" website that aims to legitimize the use of distributed denial of service attacks (DDoS) as a legitimate form of protest.

“It is the equivalent of repeatedly hitting the refresh button on a webpage. It is, in that way, no different than any ‘occupy,’ protest,” the petition states.

“Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time. As part of this petition, those who have been jailed for DDoS should be immediately released and have anything regarding a DDoS, that is on their ‘records,’ cleared.”

Some have speculated that Anonymous is behind the petition—but Anons aren’t the only one making this argument: Evgeny Morozov, a Belarus-born tech author, scholar, and journalist made a similar case back in December 2010.

However, he later warned: “Declaring that DDoS is a form of civil disobedience is not the same as proclaiming that such attacks are always effective or likely to contribute to the goals of openness and transparency pursued by Anonymous and WikiLeaks. Legitimacy is not the same thing as efficacy, even though the latter can boost the former. In fact, the proliferation of DDoS may lead to a crackdown on Internet freedom, as governments seek to establish tighter control over cyberspace.”

The White House's "We the People" website opened in 2011 and allows anyone to submit a petition to the government on any topic. If a petition gets 25,000 signatures or more, the Obama Administration will be compelled to provide a formal response. Most responses have been fairly mild, however—save releasing the White House beer recipe in late 2012.

75 Reader Comments

I was going to post a kneejerk reply: fine, pay the business the damages they'd incur while their site were down and go knock yourself out DDoS-ing the crap out of it.

But then I realized they might be right. Protesting outside a business or boycotting said business or handing out leaflets in front of their building, also leads to monetary losses, and that's protected as free speech. What's the difference?

Then I remembered that DDoS attacks are usually carried out from compromised networks of zombie computers without the knowledge of their owners, and it hurts the computer owner and their ISP and business' ISP and the business.

A sit in requires a commitment by a large number of people to volunteer their time and energy to make a political statement. It's also public, so you'll want to be sure the statement made is something you want your peers to know about. That's not the same as writing a script that hammers away at a site, and certainly not the same as hijacking other people's computers to do so as is the common practice.

I view a DDoS attack as occupying private property. You're not standing on the street corner with a picket in hand, you're a crowd of folks going into the store to jam it so full no one else can get in.

IANAL (hate that acronym), but aren't there laws against unruly crowds getting together causing disruption? Prosecuting DDoS could be seen as the same.

Can we all as a society just stop it with this We The People site? I mean, great that the White House will officially comment on this stuff, but what it really does is let news sites explain that a group of goofy people "signed" a petition that is equally goofy.

Just go check the stuff that people are petitioning the government to do. It's silly.

I was going to post a kneejerk reply: fine, pay the business the damages they'd incur while their site were down and go knock yourself out DDoS-ing the crap out of it.

But then I realized they might be right. Protesting outside a business or boycotting said business or handing out leaflets in front of their building, also leads to monetary losses, and that's protected as free speech. What's the difference?

Then I remembered that DDoS attacks are usually carried out from compromised networks of zombie computers without the knowledge of their owners, and it hurts the computer owner and their ISP and business' ISP and the business.

There's your difference.

But those things are already illegal. So that's not the difference. Unless they're trying to say that taking over someone else's machine, with no notice against their will, is legit if you do it to DDoS.

I view a DDoS attack as occupying private property. You're not standing on the street corner with a picket in hand, you're a crowd of folks going into the store to jam it so full no one else can get in.

IANAL (hate that acronym), but aren't there laws against unruly crowds getting together causing disruption? Prosecuting DDoS could be seen as the same.

I view a DDoS more as someone dumping a bunch of garbage into a store so that it occupies space and no one can enter. Thereby taking away choice from people who wish to go there still as well as other issues. All of this without having to identify who you are or why you are even doing it and almost no commitment from those operating it.

Can we all as a society just stop it with this We The People site? I mean, great that the White House will officially comment on this stuff, but what it really does is let news sites explain that a group of goofy people "signed" a petition that is equally goofy.

Just go check the stuff that people are petitioning the government to do. It's silly.

I was going to post a kneejerk reply: fine, pay the business the damages they'd incur while their site were down and go knock yourself out DDoS-ing the crap out of it.

But then I realized they might be right. Protesting outside a business or boycotting said business or handing out leaflets in front of their building, also leads to monetary losses, and that's protected as free speech. What's the difference?

Then I remembered that DDoS attacks are usually carried out from compromised networks of zombie computers without the knowledge of their owners, and it hurts the computer owner and their ISP and business' ISP and the business.

There's your difference.

It's illegal to block the entrance to a building for numerous reasons and protesting even with a permit has rules.

DDoS attacks are not legal and blocking access to a website isn't civil disobedience, it's removing another' right to free speech entirely.

Which in my opinion should never be legal, even for the wackiest of wack-jobs.

I want DDoSing to be made legal, and then watch as 4chan and any other Anonymous-sympathizing site/IRC server gets taken down by a single large corporation that has been attacked by them (in "protest", of course).

Imagine if a group decided to protest a business by getting a large number of people to go in simply to request change. The store is not earning revenue on these transactions, and quickly run out of small bills. The protesters refuse to leave the checkout counter until they get change, and the whole thing grinds to a halt.

Now these protesters no not provide any reason for their behavior while they are doing it, but have separately mailed a letter to the store manager and the local newspaper on the subject. The manager is too busy dealing with the chaos to read the letter, and may not even understand it. The newspaper may not publish or report on their letter, and if they do, legitamate store customers are unlikely to read it. They will simply remember the terrible customer service they received.

In order for a protest to be protected as free speech, it should directly and inherently carry a message. A DDoS does not do this.

This is absolute bunk, and I'll tell you why. Protests take place on public property - such as a public road and public sidewalks. It is not legal to march inside a bank with picket signs because the bank leases or owns that property nor is it legal to protest on a private road or in private lawns.

A DDoS does not involve private individuals' computers sitting on public property. It involves their private computers taking the private resources the 'protestors' lease from their ISPs, using them in a way their ISPs contractually ban (breach of contract), clogging private routers and adding congestion to the Internet, clogging the data center that the target server is set up in - that center's own infrastructure - and lastly taking up quantifiably limited resources that a victim leases from a private entity.

At no point does a DDoS travel over taxpayer funded infrastructure. It is not a protest and never will be.

I was going to post a kneejerk reply: fine, pay the business the damages they'd incur while their site were down and go knock yourself out DDoS-ing the crap out of it.

But then I realized they might be right. Protesting outside a business or boycotting said business or handing out leaflets in front of their building, also leads to monetary losses, and that's protected as free speech. What's the difference?

Then I remembered that DDoS attacks are usually carried out from compromised networks of zombie computers without the knowledge of their owners, and it hurts the computer owner and their ISP and business' ISP and the business.

There's your difference.

It's illegal to block the entrance to a building for numerous reasons and protesting even with a permit has rules.

DDoS attacks are not legal and blocking access to a website isn't civil disobedience, it's removing another' right to free speech entirely.

Which in my opinion should never be legal, even for the wackiest of wack-jobs.

Nicely put. This.

Edit: also, most DDoS attacks are "bought" via zombie networks, so it's like (to bring out the tortured metaphor machine again) someone drugging people via their milk, then another person paying that person to force them all to gather outside a business with the intent of preventing anyone from patronising it. It's not speech it's purchased intimidation.

But then I realized they might be right. Protesting outside a business or boycotting said business or handing out leaflets in front of their building, also leads to monetary losses, and that's protected as free speech. What's the difference?

Protestors can't physically block the entrance to a business or building. A "successful" ddos blocks other users that may actually agree with the business and want to support it.

EDIT:I should have read the other comments before replying.This comment brought to you by the Department of Redundancy Department.

A sit in requires a commitment by a large number of people to volunteer their time and energy to make a political statement. It's also public, so you'll want to be sure the statement made is something you want your peers to know about. That's not the same as writing a script that hammers away at a site, and certainly not the same as hijacking other people's computers to do so as is the common practice.

Exactly.

Also, when I attend a public, in-person protest, I am:

Personally identifiable. You can see my face. I can be identified in conjunction with the cause.

Personally and physically present to be arrested if I break a law.

Attentive in real time. The people being protested can make their case and I can hear them. The dialog is (or at least can be) two-way.

Not blocking access to the protested site; only impeding it.

Making a case that visitors and bystanders can see and perhaps even understand. But a DDoS'd site is, from the visitor's point, just broken. The visitor is never made aware that the breakage stems from a protest.

The idea of DDoS as anything resembling fair-play activism and/or protest is just plain moronic.

Whilst i believe that DDoS should not be "legalised" for the reasons stated above, I do believe that consumer rights need to be better supported by the governments around the world when dealing online. So many times I have hit brick wall after brick wall with complaining to websites (especially E-retailers). If industries cannot regulate their own complaints process then it is up to the government to protect the individual from abuse of consumer rights. In my opinion of course.

I was going to post a kneejerk reply: fine, pay the business the damages they'd incur while their site were down and go knock yourself out DDoS-ing the crap out of it.

But then I realized they might be right. Protesting outside a business or boycotting said business or handing out leaflets in front of their building, also leads to monetary losses, and that's protected as free speech. What's the difference?

Then I remembered that DDoS attacks are usually carried out from compromised networks of zombie computers without the knowledge of their owners, and it hurts the computer owner and their ISP and business' ISP and the business.

There's your difference.

No, the difference is that if you're standing outside protesting or handing out leaflets, you're not physically barring anyone from entering the business. The latter is what DDoS does, and that's where it crosses the line.

Personally, I find the laws restricting protest to be excessive... In the same country that glorifies the Boston Tea Party you can barely walk down the street with a sign without risking arrest.

You can walk down the street just fine with a protest sign; people do it daily, hourly even. You only have to apply for a permit under certain circumstances (large numbers of people, blocking traffic, ect.) which makes perfect sense.

The idea that somehow you can't do this is born out of sheer unmitigated crazy.

Quote:

It's illegal to block the entrance to a building for numerous reasons and protesting even with a permit has rules.

DDoS attacks are not legal and blocking access to a website isn't civil disobedience, it's removing another' right to free speech entirely.

Which in my opinion should never be legal, even for the wackiest of wack-jobs.

Indeed. These people are morons.

You want to DDOS? You get put in jail for it. The same thing happens if you tresspass on private property.

Quote:

Imagine if a group decided to protest a business by getting a large number of people to go in simply to request change. The store is not earning revenue on these transactions, and quickly run out of small bills. The protesters refuse to leave the checkout counter until they get change, and the whole thing grinds to a halt.

If you refuse to leave private property when you've been asked to leave, you're tresspassing and can be arrested.

I kind of half hope that the government looks at the IP addresses of those who sign the petition, but maybe that's a little Machiavellian.

I want DDoSing to be made legal, and then watch as 4chan and any other Anonymous-sympathizing site/IRC server gets taken down by a single large corporation that has been attacked by them (in "protest", of course).

That would almost make it worth it... almost.

It's 2013 and there's still this belief that the chans are some sekret club?

Seems like there's already a very near consensus on this being a stupid analogy, so I'll just agree with the crowd.

I do wonder if the White House would like to pound on the person who came up with this idea. I'm sure it sounded really awesome when it was pitched. Yet they seem to have forgotten just how stupid a lot of people are.

I think you could make the argument that under the right circumstances this could be workable. Everyone makes the assumption that you are taking over using a botnet of hijacked computers. Why can't legitimate, easy to use software, that you could run from a system you own. It would require the scale of people to make it so a few select few can't make it happen, the owner has recourse to stop the attack by stopping the ddos the same way you stop all ddos , and there will still be civil/criminal penalties for those who are involved just as it has been. You don't have to stop the site you can slow it down.

As far as fighting for the right to deny others the right to free speech. It's a temporary measure and if it's actually being carried out as a large group rather then scripts/botnets I still don't see an issue with this. The site will be back up, people will have made their point and they will get bored (this entire thing is under the premise that we can actually force people to basically f5 a site for a long time making it impossible to carry out for long periods, I know I should have elaborated on this earlier but it's late and I'm trying to get home =P), if people care enough to do this for extended periods then it brings more attention to the cause and this strategy has worked before.

I realize in reality there is no way to enforce something like this so it's completely moot but I think as a principle the ddos could be used under a rule set to legitimize it.

I think you could make the argument that under the right circumstances this could be workable. Everyone makes the assumption that you are taking over using a botnet of hijacked computers. Why can't legitimate, easy to use software, that you could run from a system you own. It would require the scale of people to make it so a few select few can't make it happen, the owner has recourse to stop the attack by stopping the ddos the same way you stop all ddos , and there will still be civil/criminal penalties for those who are involved just as it has been. You don't have to stop the site you can slow it down.

As far as fighting for the right to deny others the right to free speech. It's a temporary measure and if it's actually being carried out as a large group rather then scripts/botnets I still don't see an issue with this. The site will be back up, people will have made their point and they will get bored (this entire thing is under the premise that we can actually force people to basically f5 a site for a long time making it impossible to carry out for long periods, I know I should have elaborated on this earlier but it's late and I'm trying to get home =P), if people care enough to do this for extended periods then it brings more attention to the cause and this strategy has worked before.

It doesn't matter if it's temporary or permanent; at the end of the day, you have damaged someone else's property. I wanted to visit a site, but I can't because some numbnuts on the internet decided I wasn't allowed to.

It's equivalent to a group of people preventing access to a business in the real world. That's temporary too; people will get bored and so forth. And it gets you arrested. So why not online?

Oh, and you can't DoS most sites with even 1 million people hitting F5. You need computer scripts and code to do it.

I was going to post a kneejerk reply: fine, pay the business the damages they'd incur while their site were down and go knock yourself out DDoS-ing the crap out of it.

But then I realized they might be right. Protesting outside a business or boycotting said business or handing out leaflets in front of their building, also leads to monetary losses, and that's protected as free speech. What's the difference?

Then I remembered that DDoS attacks are usually carried out from compromised networks of zombie computers without the knowledge of their owners, and it hurts the computer owner and their ISP and business' ISP and the business.

There's your difference.

And a protest won't step me from buying something from a store I like. A DDoS would knock it down for everyone.

I want DDoSing to be made legal, and then watch as 4chan and any other Anonymous-sympathizing site/IRC server gets taken down by a single large corporation that has been attacked by them (in "protest", of course).

That would almost make it worth it... almost.

It's 2013 and there's still this belief that the chans are some sekret club?

Which part of what I wrote implied that the chans are "some sekret club"?

To me this is rather stupid, especially their analogy. If they say its the same as hitting refresh a lot of times, does that mean that we should be able to use jackhammers on sidewalks to repeatedly walk on the same section? Because they are very clearly basically the same thing...

I never understood why people complain about government being against civil disobedience. Now, before I'm downvoted to oblivion, hear me out.

The whole point of civil disobedience is making your point in form of a protest the government disagrees with. Typically, if the government disagrees with your form of protest, they will act against it, and it will likely make the news, even if only a small town paper or local TV channel.

I disagreed with a lot of OWS's actions, but the one thing were good at was angering local, state/provincial and in some cases federal officials, prompting a pretty big backlash from civil servants and civilians. The backlash they received was enough for both national and international media to start printing the stories, and giving it air time.

Would that have happened if OWS protested in a manner that was convenient for the government? Doing a 9-5 protest with signs, then dispersing until the next day? Probably not. And that's the point of civil disobedience. It shouldn't be illegal, but the government's going to react. Otherwise you just aren't getting your message across.